diff options
-rw-r--r-- | INSTALL | 3 | ||||
-rw-r--r-- | crypto/build.info | 2 | ||||
-rw-r--r-- | crypto/cmp/build.info | 2 | ||||
-rw-r--r-- | crypto/cmp/cmp_asn.c | 398 | ||||
-rw-r--r-- | crypto/cmp/cmp_err.c | 35 | ||||
-rw-r--r-- | crypto/cmp/cmp_int.h | 589 | ||||
-rw-r--r-- | crypto/crmf/crmf_asn.c | 6 | ||||
-rw-r--r-- | crypto/crmf/crmf_int.h | 6 | ||||
-rw-r--r-- | crypto/crmf/crmf_lib.c | 4 | ||||
-rw-r--r-- | crypto/crmf/crmf_pbm.c | 6 | ||||
-rw-r--r-- | crypto/err/err.c | 1 | ||||
-rw-r--r-- | crypto/err/err_all.c | 2 | ||||
-rw-r--r-- | crypto/err/openssl.ec | 1 | ||||
-rw-r--r-- | doc/man3/OSSL_CMP_ITAV_set0.pod | 105 | ||||
-rw-r--r-- | doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod | 2 | ||||
-rw-r--r-- | doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod | 2 | ||||
-rw-r--r-- | doc/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod | 2 | ||||
-rw-r--r-- | doc/man3/OSSL_CRMF_MSG_set_validity.pod | 2 | ||||
-rw-r--r-- | doc/man3/OSSL_CRMF_pbmp_new.pod | 2 | ||||
-rw-r--r-- | doc/man3/X509_dup.pod | 23 | ||||
-rw-r--r-- | doc/man3/d2i_X509.pod | 20 | ||||
-rw-r--r-- | include/openssl/cmp.h | 243 | ||||
-rw-r--r-- | include/openssl/cmperr.h | 32 | ||||
-rw-r--r-- | include/openssl/crmf.h | 6 | ||||
-rw-r--r-- | include/openssl/err.h | 2 | ||||
-rw-r--r-- | util/libcrypto.num | 302 |
26 files changed, 1632 insertions, 166 deletions
@@ -314,6 +314,9 @@ Don't build the CAPI engine. This option will be forced if on a platform that does not support CAPI. + no-cmp + Don't build support for CMP features + no-cms Don't build support for CMS features diff --git a/crypto/build.info b/crypto/build.info index 629e819b8a..7798bcbe18 100644 --- a/crypto/build.info +++ b/crypto/build.info @@ -5,7 +5,7 @@ SUBDIRS=objects buffer bio stack lhash rand evp asn1 pem x509 conf \ md2 md4 md5 sha mdc2 gmac hmac ripemd whrlpool poly1305 blake2 \ siphash sm3 des aes rc2 rc4 rc5 idea aria bf cast camellia \ seed sm4 chacha modes bn ec rsa dsa dh sm2 dso engine \ - err comp ocsp cms ts srp cmac ct async kmac ess crmf + err comp ocsp cms ts srp cmac ct async kmac ess crmf cmp LIBS=../libcrypto # The Core diff --git a/crypto/cmp/build.info b/crypto/cmp/build.info new file mode 100644 index 0000000000..6b6ccaaf49 --- /dev/null +++ b/crypto/cmp/build.info @@ -0,0 +1,2 @@ +LIBS=../../libcrypto +SOURCE[../../libcrypto]= cmp_asn.c cmp_err.c diff --git a/crypto/cmp/cmp_asn.c b/crypto/cmp/cmp_asn.c new file mode 100644 index 0000000000..8555586dfd --- /dev/null +++ b/crypto/cmp/cmp_asn.c @@ -0,0 +1,398 @@ +/* + * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright Nokia 2007-2019 + * Copyright Siemens AG 2015-2019 + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + * + * CMP implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb. + */ + +#include <openssl/asn1t.h> + +#include "cmp_int.h" + +/* explicit #includes not strictly needed since implied by the above: */ +#include <openssl/cmp.h> +#include <openssl/crmf.h> + +/* ASN.1 declarations from RFC4210 */ +ASN1_SEQUENCE(OSSL_CMP_REVANNCONTENT) = { + /* OSSL_CMP_PKISTATUS is effectively ASN1_INTEGER so it is used directly */ + ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, status, ASN1_INTEGER), + ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, certId, OSSL_CRMF_CERTID), + ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, willBeRevokedAt, ASN1_GENERALIZEDTIME), + ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, badSinceDate, ASN1_GENERALIZEDTIME), + ASN1_OPT(OSSL_CMP_REVANNCONTENT, crlDetails, X509_EXTENSIONS) +} ASN1_SEQUENCE_END(OSSL_CMP_REVANNCONTENT) +IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVANNCONTENT) + + +ASN1_SEQUENCE(OSSL_CMP_CHALLENGE) = { + ASN1_OPT(OSSL_CMP_CHALLENGE, owf, X509_ALGOR), + ASN1_SIMPLE(OSSL_CMP_CHALLENGE, witness, ASN1_OCTET_STRING), + ASN1_SIMPLE(OSSL_CMP_CHALLENGE, challenge, ASN1_OCTET_STRING) +} ASN1_SEQUENCE_END(OSSL_CMP_CHALLENGE) +IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CHALLENGE) + + +ASN1_ITEM_TEMPLATE(OSSL_CMP_POPODECKEYCHALLCONTENT) = + ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, + OSSL_CMP_POPODECKEYCHALLCONTENT, OSSL_CMP_CHALLENGE) +ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POPODECKEYCHALLCONTENT) + + +ASN1_ITEM_TEMPLATE(OSSL_CMP_POPODECKEYRESPCONTENT) = + ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, + OSSL_CMP_POPODECKEYRESPCONTENT, ASN1_INTEGER) +ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POPODECKEYRESPCONTENT) + + +ASN1_SEQUENCE(OSSL_CMP_CAKEYUPDANNCONTENT) = { + /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */ + ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, oldWithNew, X509), + /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */ + ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, newWithOld, X509), + /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */ + ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, newWithNew, X509) +} ASN1_SEQUENCE_END(OSSL_CMP_CAKEYUPDANNCONTENT) +IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CAKEYUPDANNCONTENT) + + +ASN1_SEQUENCE(OSSL_CMP_ERRORMSGCONTENT) = { + ASN1_SIMPLE(OSSL_CMP_ERRORMSGCONTENT, pKIStatusInfo, OSSL_CMP_PKISI), + ASN1_OPT(OSSL_CMP_ERRORMSGCONTENT, errorCode, ASN1_INTEGER), + /* + * OSSL_CMP_PKIFREETEXT is effectively a sequence of ASN1_UTF8STRING + * so it is used directly + * + */ + ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ERRORMSGCONTENT, errorDetails, ASN1_UTF8STRING) +} ASN1_SEQUENCE_END(OSSL_CMP_ERRORMSGCONTENT) +IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT) + +ASN1_ADB_TEMPLATE(infotypeandvalue_default) = ASN1_OPT(OSSL_CMP_ITAV, + infoValue.other, ASN1_ANY); +/* ITAV means InfoTypeAndValue */ +ASN1_ADB(OSSL_CMP_ITAV) = { + /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */ + ADB_ENTRY(NID_id_it_caProtEncCert, ASN1_OPT(OSSL_CMP_ITAV, + infoValue.caProtEncCert, X509)), + ADB_ENTRY(NID_id_it_signKeyPairTypes, + ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, + infoValue.signKeyPairTypes, X509_ALGOR)), + ADB_ENTRY(NID_id_it_encKeyPairTypes, + ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, + infoValue.encKeyPairTypes, X509_ALGOR)), + ADB_ENTRY(NID_id_it_preferredSymmAlg, + ASN1_OPT(OSSL_CMP_ITAV, infoValue.preferredSymmAlg, + X509_ALGOR)), + ADB_ENTRY(NID_id_it_caKeyUpdateInfo, + ASN1_OPT(OSSL_CMP_ITAV, infoValue.caKeyUpdateInfo, + OSSL_CMP_CAKEYUPDANNCONTENT)), + ADB_ENTRY(NID_id_it_currentCRL, + ASN1_OPT(OSSL_CMP_ITAV, infoValue.currentCRL, X509_CRL)), + ADB_ENTRY(NID_id_it_unsupportedOIDs, + ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, + infoValue.unsupportedOIDs, ASN1_OBJECT)), + ADB_ENTRY(NID_id_it_keyPairParamReq, + ASN1_OPT(OSSL_CMP_ITAV, infoValue.keyPairParamReq, + ASN1_OBJECT)), + ADB_ENTRY(NID_id_it_keyPairParamRep, + ASN1_OPT(OSSL_CMP_ITAV, infoValue.keyPairParamRep, + X509_ALGOR)), + ADB_ENTRY(NID_id_it_revPassphrase, + ASN1_OPT(OSSL_CMP_ITAV, infoValue.revPassphrase, + OSSL_CRMF_ENCRYPTEDVALUE)), + ADB_ENTRY(NID_id_it_implicitConfirm, + ASN1_OPT(OSSL_CMP_ITAV, infoValue.implicitConfirm, + ASN1_NULL)), + ADB_ENTRY(NID_id_it_confirmWaitTime, + ASN1_OPT(OSSL_CMP_ITAV, infoValue.confirmWaitTime, + ASN1_GENERALIZEDTIME)), + ADB_ENTRY(NID_id_it_origPKIMessage, + ASN1_OPT(OSSL_CMP_ITAV, infoValue.origPKIMessage, + OSSL_CMP_MSGS)), + ADB_ENTRY(NID_id_it_suppLangTags, + ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, infoValue.suppLangTagsValue, + ASN1_UTF8STRING)), +} ASN1_ADB_END(OSSL_CMP_ITAV, 0, infoType, 0, + &infotypeandvalue_default_tt, NULL); + + +ASN1_SEQUENCE(OSSL_CMP_ITAV) = { + ASN1_SIMPLE(OSSL_CMP_ITAV, infoType, ASN1_OBJECT), + ASN1_ADB_OBJECT(OSSL_CMP_ITAV) +} ASN1_SEQUENCE_END(OSSL_CMP_ITAV) +IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_ITAV) +IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_ITAV) + +OSSL_CMP_ITAV *OSSL_CMP_ITAV_create(ASN1_OBJECT *type, ASN1_TYPE *value) +{ + OSSL_CMP_ITAV *itav; + + if (type == NULL || (itav = OSSL_CMP_ITAV_new()) == NULL) + return NULL; + OSSL_CMP_ITAV_set0(itav, type, value); + return itav; +} + +void OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV *itav, ASN1_OBJECT *type, + ASN1_TYPE *value) +{ + itav->infoType = type; + itav->infoValue.other = value; +} + +ASN1_OBJECT *OSSL_CMP_ITAV_get0_type(const OSSL_CMP_ITAV *itav) +{ + if (itav == NULL) + return NULL; + return itav->infoType; +} + +ASN1_TYPE *OSSL_CMP_ITAV_get0_value(const OSSL_CMP_ITAV *itav) +{ + if (itav == NULL) + return NULL; + return itav->infoValue.other; +} + +int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p, + OSSL_CMP_ITAV *itav) +{ + int created = 0; + + if (itav_sk_p == NULL) + goto err; + + if (*itav_sk_p == NULL) { + if ((*itav_sk_p = sk_OSSL_CMP_ITAV_new_null()) == NULL) + goto err; + created = 1; + } + if (itav != NULL) { + if (!sk_OSSL_CMP_ITAV_push(*itav_sk_p, itav)) + goto err; + } + return 1; + err: + if (created != 0) { + sk_OSSL_CMP_ITAV_free(*itav_sk_p); + *itav_sk_p = NULL; + } + return 0; +} + +ASN1_CHOICE(OSSL_CMP_CERTORENCCERT) = { + /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */ + ASN1_EXP(OSSL_CMP_CERTORENCCERT, value.certificate, X509, 0), + ASN1_EXP(OSSL_CMP_CERTORENCCERT, value.encryptedCert, + OSSL_CRMF_ENCRYPTEDVALUE, 1), +} ASN1_CHOICE_END(OSSL_CMP_CERTORENCCERT) +IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT) + + +ASN1_SEQUENCE(OSSL_CMP_CERTIFIEDKEYPAIR) = { + ASN1_SIMPLE(OSSL_CMP_CERTIFIEDKEYPAIR, certOrEncCert, + OSSL_CMP_CERTORENCCERT), + ASN1_EXP_OPT(OSSL_CMP_CERTIFIEDKEYPAIR, privateKey, + OSSL_CRMF_ENCRYPTEDVALUE, 0), + ASN1_EXP_OPT(OSSL_CMP_CERTIFIEDKEYPAIR, publicationInfo, + OSSL_CRMF_PKIPUBLICATIONINFO, 1) +} ASN1_SEQUENCE_END(OSSL_CMP_CERTIFIEDKEYPAIR) +IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR) + + +ASN1_SEQUENCE(OSSL_CMP_REVDETAILS) = { + ASN1_SIMPLE(OSSL_CMP_REVDETAILS, certDetails, OSSL_CRMF_CERTTEMPLATE), + ASN1_OPT(OSSL_CMP_REVDETAILS, crlEntryDetails, X509_EXTENSIONS) +} ASN1_SEQUENCE_END(OSSL_CMP_REVDETAILS) +IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVDETAILS) + + +ASN1_ITEM_TEMPLATE(OSSL_CMP_REVREQCONTENT) = + ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_REVREQCONTENT, + OSSL_CMP_REVDETAILS) +ASN1_ITEM_TEMPLATE_END(OSSL_CMP_REVREQCONTENT) + + +ASN1_SEQUENCE(OSSL_CMP_REVREPCONTENT) = { + ASN1_SEQUENCE_OF(OSSL_CMP_REVREPCONTENT, status, OSSL_CMP_PKISI), + ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_REVREPCONTENT, revCerts, OSSL_CRMF_CERTID, + 0), + ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_REVREPCONTENT, crls, X509_CRL, 1) +} ASN1_SEQUENCE_END(OSSL_CMP_REVREPCONTENT) +IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVREPCONTENT) + + +ASN1_SEQUENCE(OSSL_CMP_KEYRECREPCONTENT) = { + ASN1_SIMPLE(OSSL_CMP_KEYRECREPCONTENT, status, OSSL_CMP_PKISI), + ASN1_EXP_OPT(OSSL_CMP_KEYRECREPCONTENT, newSigCert, X509, 0), + ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_KEYRECREPCONTENT, caCerts, X509, 1), + ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_KEYRECREPCONTENT, keyPairHist, + OSSL_CMP_CERTIFIEDKEYPAIR, 2) +} ASN1_SEQUENCE_END(OSSL_CMP_KEYRECREPCONTENT) +IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_KEYRECREPCONTENT) + + +ASN1_ITEM_TEMPLATE(OSSL_CMP_PKISTATUS) = + ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_UNIVERSAL, 0, status, ASN1_INTEGER) +ASN1_ITEM_TEMPLATE_END(OSSL_CMP_PKISTATUS) + +ASN1_SEQUENCE(OSSL_CMP_PKISI) = { + ASN1_SIMPLE(OSSL_CMP_PKISI, status, OSSL_CMP_PKISTATUS), + /* + * CMP_PKIFREETEXT is effectively a sequence of ASN1_UTF8STRING + * so it is used directly + */ + ASN1_SEQUENCE_OF_OPT(OSSL_CMP_PKISI, statusString, ASN1_UTF8STRING), + /* + * OSSL_CMP_PKIFAILUREINFO is effectively ASN1_BIT_STRING so used directly + */ + ASN1_OPT(OSSL_CMP_PKISI, failInfo, ASN1_BIT_STRING) +} ASN1_SEQUENCE_END(OSSL_CMP_PKISI) +IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKISI) +IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_PKISI) + +ASN1_SEQUENCE(OSSL_CMP_CERTSTATUS) = { + ASN1_SIMPLE(OSSL_CMP_CERTSTATUS, certHash, ASN1_OCTET_STRING), + ASN1_SIMPLE(OSSL_CMP_CERTSTATUS, certReqId, ASN1_INTEGER), + ASN1_OPT(OSSL_CMP_CERTSTATUS, statusInfo, OSSL_CMP_PKISI) +} ASN1_SEQUENCE_END(OSSL_CMP_CERTSTATUS) +IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTSTATUS) + +ASN1_ITEM_TEMPLATE(OSSL_CMP_CERTCONFIRMCONTENT) = + ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_CERTCONFIRMCONTENT, + OSSL_CMP_CERTSTATUS) +ASN1_ITEM_TEMPLATE_END(OSSL_CMP_CERTCONFIRMCONTENT) + +ASN1_SEQUENCE(OSSL_CMP_CERTRESPONSE) = { + ASN1_SIMPLE(OSSL_CMP_CERTRESPONSE, certReqId, ASN1_INTEGER), + ASN1_SIMPLE(OSSL_CMP_CERTRESPONSE, status, OSSL_CMP_PKISI), + ASN1_OPT(OSSL_CMP_CERTRESPONSE, certifiedKeyPair, + OSSL_CMP_CERTIFIEDKEYPAIR), + ASN1_OPT(OSSL_CMP_CERTRESPONSE, rspInfo, ASN1_OCTET_STRING) +} ASN1_SEQUENCE_END(OSSL_CMP_CERTRESPONSE) +IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTRESPONSE) + +ASN1_SEQUENCE(OSSL_CMP_POLLREQ) = { + ASN1_SIMPLE(OSSL_CMP_POLLREQ, certReqId, ASN1_INTEGER) +} ASN1_SEQUENCE_END(OSSL_CMP_POLLREQ) +IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_POLLREQ) + +ASN1_ITEM_TEMPLATE(OSSL_CMP_POLLREQCONTENT) = + ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_POLLREQCONTENT, + OSSL_CMP_POLLREQ) +ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POLLREQCONTENT) + +ASN1_SEQUENCE(OSSL_CMP_POLLREP) = { + ASN1_SIMPLE(OSSL_CMP_POLLREP, certReqId, ASN1_INTEGER), + ASN1_SIMPLE(OSSL_CMP_POLLREP, checkAfter, ASN1_INTEGER), + ASN1_SEQUENCE_OF_OPT(OSSL_CMP_POLLREP, reason, ASN1_UTF8STRING), +} ASN1_SEQUENCE_END(OSSL_CMP_POLLREP) +IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_POLLREP) + +ASN1_ITEM_TEMPLATE(OSSL_CMP_POLLREPCONTENT) = + ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, + OSSL_CMP_POLLREPCONTENT, + OSSL_CMP_POLLREP) +ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POLLREPCONTENT) + +ASN1_SEQUENCE(OSSL_CMP_CERTREPMESSAGE) = { + /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */ + ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_CERTREPMESSAGE, caPubs, X509, 1), + ASN1_SEQUENCE_OF(OSSL_CMP_CERTREPMESSAGE, response, OSSL_CMP_CERTRESPONSE) +} ASN1_SEQUENCE_END(OSSL_CMP_CERTREPMESSAGE) +IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTREPMESSAGE) + +ASN1_ITEM_TEMPLATE(OSSL_CMP_GENMSGCONTENT) = + ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_GENMSGCONTENT, + OSSL_CMP_ITAV) +ASN1_ITEM_TEMPLATE_END(OSSL_CMP_GENMSGCONTENT) + +ASN1_ITEM_TEMPLATE(OSSL_CMP_GENREPCONTENT) = + ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_GENREPCONTENT, + OSSL_CMP_ITAV) +ASN1_ITEM_TEMPLATE_END(OSSL_CMP_GENREPCONTENT) + +ASN1_ITEM_TEMPLATE(OSSL_CMP_CRLANNCONTENT) = + ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, + OSSL_CMP_CRLANNCONTENT, X509_CRL) +ASN1_ITEM_TEMPLATE_END(OSSL_CMP_CRLANNCONTENT) + +ASN1_CHOICE(OSSL_CMP_PKIBODY) = { + ASN1_EXP(OSSL_CMP_PKIBODY, value.ir, OSSL_CRMF_MSGS, 0), + ASN1_EXP(OSSL_CMP_PKIBODY, value.ip, OSSL_CMP_CERTREPMESSAGE, 1), + ASN1_EXP(OSSL_CMP_PKIBODY, value.cr, OSSL_CRMF_MSGS, 2), + ASN1_EXP(OSSL_CMP_PKIBODY, value.cp, OSSL_CMP_CERTREPMESSAGE, 3), + ASN1_EXP(OSSL_CMP_PKIBODY, value.p10cr, X509_REQ, 4), + ASN1_EXP(OSSL_CMP_PKIBODY, value.popdecc, OSSL_CMP_POPODECKEYCHALLCONTENT, 5), + ASN1_EXP(OSSL_CMP_PKIBODY, value.popdecr, OSSL_CMP_POPODECKEYRESPCONTENT, 6), + ASN1_EXP(OSSL_CMP_PKIBODY, value.kur, OSSL_CRMF_MSGS, 7), + ASN1_EXP(OSSL_CMP_PKIBODY, value.kup, OSSL_CMP_CERTREPMESSAGE, 8), + ASN1_EXP(OSSL_CMP_PKIBODY, value.krr, OSSL_CRMF_MSGS, 9), + ASN1_EXP(OSSL_CMP_PKIBODY, value.krp, OSSL_CMP_KEYRECREPCONTENT, 10), + ASN1_EXP(OSSL_CMP_PKIBODY, value.rr, OSSL_CMP_REVREQCONTENT, 11), + ASN1_EXP(OSSL_CMP_PKIBODY, value.rp, OSSL_CMP_REVREPCONTENT, 12), + ASN1_EXP(OSSL_CMP_PKIBODY, value.ccr, OSSL_CRMF_MSGS, 13), + ASN1_EXP(OSSL_CMP_PKIBODY, value.ccp, OSSL_CMP_CERTREPMESSAGE, 14), + ASN1_EXP(OSSL_CMP_PKIBODY, value.ckuann, OSSL_CMP_CAKEYUPDANNCONTENT, 15), + ASN1_EXP(OSSL_CMP_PKIBODY, value.cann, X509, 16), + ASN1_EXP(OSSL_CMP_PKIBODY, value.rann, OSSL_CMP_REVANNCONTENT, 17), + ASN1_EXP(OSSL_CMP_PKIBODY, value.crlann, OSSL_CMP_CRLANNCONTENT, 18), + ASN1_EXP(OSSL_CMP_PKIBODY, value.pkiconf, ASN1_ANY, 19), + ASN1_EXP(OSSL_CMP_PKIBODY, value.nested, OSSL_CMP_MSGS, 20), + ASN1_EXP(OSSL_CMP_PKIBODY, value.genm, OSSL_CMP_GENMSGCONTENT, 21), + ASN1_EXP(OSSL_CMP_PKIBODY, value.genp, OSSL_CMP_GENREPCONTENT, 22), + ASN1_EXP(OSSL_CMP_PKIBODY, value.error, OSSL_CMP_ERRORMSGCONTENT, 23), + ASN1_EXP(OSSL_CMP_PKIBODY, value.certConf, OSSL_CMP_CERTCONFIRMCONTENT, 24), + ASN1_EXP(OSSL_CMP_PKIBODY, value.pollReq, OSSL_CMP_POLLREQCONTENT, 25), + ASN1_EXP(OSSL_CMP_PKIBODY, value.pollRep, OSSL_CMP_POLLREPCONTENT, 26), +} ASN1_CHOICE_END(OSSL_CMP_PKIBODY) +IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKIBODY) + +ASN1_SEQUENCE(OSSL_CMP_PKIHEADER) = { + ASN1_SIMPLE(OSSL_CMP_PKIHEADER, pvno, ASN1_INTEGER), + ASN1_SIMPLE(OSSL_CMP_PKIHEADER, sender, GENERAL_NAME), + ASN1_SIMPLE(OSSL_CMP_PKIHEADER, recipient, GENERAL_NAME), + ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, messageTime, ASN1_GENERALIZEDTIME, 0), + ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, protectionAlg, X509_ALGOR, 1), + ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, senderKID, ASN1_OCTET_STRING, 2), + ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, recipKID, ASN1_OCTET_STRING, 3), + ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, transactionID, ASN1_OCTET_STRING, 4), + ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, senderNonce, ASN1_OCTET_STRING, 5), + ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, recipNonce, ASN1_OCTET_STRING, 6), + /* + * OSSL_CMP_PKIFREETEXT is effectively a sequence of ASN1_UTF8STRING + * so it is used directly + */ + ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_PKIHEADER, freeText, ASN1_UTF8STRING, 7), + ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_PKIHEADER, generalInfo, + OSSL_CMP_ITAV, 8) +} ASN1_SEQUENCE_END(OSSL_CMP_PKIHEADER) +IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKIHEADER) + +ASN1_SEQUENCE(CMP_PROTECTEDPART) = { + ASN1_SIMPLE(OSSL_CMP_MSG, header, OSSL_CMP_PKIHEADER), + ASN1_SIMPLE(OSSL_CMP_MSG, body, OSSL_CMP_PKIBODY) +} ASN1_SEQUENCE_END(CMP_PROTECTEDPART) +IMPLEMENT_ASN1_FUNCTIONS(CMP_PROTECTEDPART) + +ASN1_SEQUENCE(OSSL_CMP_MSG) = { + ASN1_SIMPLE(OSSL_CMP_MSG, header, OSSL_CMP_PKIHEADER), + ASN1_SIMPLE(OSSL_CMP_MSG, body, OSSL_CMP_PKIBODY), + ASN1_EXP_OPT(OSSL_CMP_MSG, protection, ASN1_BIT_STRING, 0), + /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */ + ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_MSG, extraCerts, X509, 1) +} ASN1_SEQUENCE_END(OSSL_CMP_MSG) +IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_MSG) +IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_MSG) + +ASN1_ITEM_TEMPLATE(OSSL_CMP_MSGS) = + ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_MSGS, + OSSL_CMP_MSG) +ASN1_ITEM_TEMPLATE_END(OSSL_CMP_MSGS) diff --git a/crypto/cmp/cmp_err.c b/crypto/cmp/cmp_err.c new file mode 100644 index 0000000000..b85b8bac82 --- /dev/null +++ b/crypto/cmp/cmp_err.c @@ -0,0 +1,35 @@ +/* + * Generated by util/mkerr.pl DO NOT EDIT + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <openssl/err.h> +#include <openssl/cmperr.h> + +#ifndef OPENSSL_NO_ERR + +static const ERR_STRING_DATA CMP_str_functs[] = { + {0, NULL} +}; + +static const ERR_STRING_DATA CMP_str_reasons[] = { + {0, NULL} +}; + +#endif + +int ERR_load_CMP_strings(void) +{ +#ifndef OPENSSL_NO_ERR + if (ERR_func_error_string(CMP_str_functs[0].error) == NULL) { + ERR_load_strings_const(CMP_str_functs); + ERR_load_strings_const(CMP_str_reasons); + } +#endif + return 1; +} diff --git a/crypto/cmp/cmp_int.h b/crypto/cmp/cmp_int.h new file mode 100644 index 0000000000..e78968aaa1 --- /dev/null +++ b/crypto/cmp/cmp_int.h @@ -0,0 +1,589 @@ +/* + * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright Nokia 2007-2019 + * Copyright Siemens AG 2015-2019 + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + * + * CMP implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb. + */ + +#ifndef OSSL_HEADER_CMP_INT_H +# define OSSL_HEADER_CMP_INT_H + +# include "internal/cryptlib.h" + +# include <openssl/cmp.h> +# include <openssl/err.h> + +/* explicit #includes not strictly needed since implied by the above: */ +# include <openssl/crmf.h> +# include <openssl/ossl_typ.h> +# include <openssl/safestack.h> +# include <openssl/x509.h> +# include <openssl/x509v3.h> + +/* + * ########################################################################## + * ASN.1 DECLARATIONS + * ########################################################################## + */ + +/*- + * RevAnnContent ::= SEQUENCE { + * status PKIStatus, + * certId CertId, + * willBeRevokedAt GeneralizedTime, + * badSinceDate GeneralizedTime, + * crlDetails Extensions OPTIONAL + * -- extra CRL details (e.g., crl number, reason, location, etc.) + * } + */ +typedef struct OSSL_cmp_revanncontent_st { + ASN1_INTEGER *status; + OSSL_CRMF_CERTID *certId; + ASN1_GENERALIZEDTIME *willBeRevokedAt; + ASN1_GENERALIZEDTIME *badSinceDate; + X509_EXTENSIONS *crlDetails; +} OSSL_CMP_REVANNCONTENT; +DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVANNCONTENT) + +/*- + * Challenge ::= SEQUENCE { + * owf AlgorithmIdentifier OPTIONAL, + * + * -- MUST be present in the first Challenge; MAY be omitted in + * -- any subsequent Challenge in POPODecKeyChallContent (if + * -- omitted, then the owf used in the immediately preceding + * -- Challenge is to be used). + * + * witness OCTET STRING, + * -- the result of applying the one-way function (owf) to a + * -- randomly-generated INTEGER, A. [Note that a different + * -- INTEGER MUST be used for each Challenge.] + * challenge OCTET STRING + * -- the encryption (under the public key for which the cert. + * -- request is being made) of Rand, where Rand is specified as + * -- Rand ::= SEQUENCE { + * -- int INTEGER, + * -- - the randomly-generated INTEGER A (above) + * -- sender GeneralName + * -- - the sender's name (as included in PKIHeader) + * -- } + * } + */ +typedef struct OSSL_cmp_challenge_st { + X509_ALGOR *owf; + ASN1_OCTET_STRING *witness; + ASN1_OCTET_STRING *challenge; +} OSSL_CMP_CHALLENGE; +DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CHALLENGE) + +/*- + * CAKeyUpdAnnContent ::= SEQUENCE { + * oldWithNew Certificate, + * newWithOld Certificate, + * newWithNew Certificate + * } + */ +typedef struct OSSL_cmp_cakeyupdanncontent_st { + X509 *oldWithNew; + X509 *newWithOld; + X509 *newWithNew; +} OSSL_CMP_CAKEYUPDANNCONTENT; +DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CAKEYUPDANNCONTENT) + +/*- + * declared already here as it will be used in OSSL_CMP_MSG (nested) and + * infoType and infoValue + */ +typedef STACK_OF(OSSL_CMP_MSG) OSSL_CMP_MSGS; +DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSGS) + +/*- + * InfoTypeAndValue ::= SEQUENCE { + * infoType OBJECT IDENTIFIER, + * infoValue ANY DEFINED BY infoType OPTIONAL + * } + */ +struct OSSL_cmp_itav_st { + ASN1_OBJECT *infoType; + union { + char *ptr; + /* NID_id_it_caProtEncCert - CA Protocol Encryption Certificate */ + X509 *caProtEncCert; + /* NID_id_it_signKeyPairTypes - Signing Key Pair Types */ + STACK_OF(X509_ALGOR) *signKeyPairTypes; + /* NID_id_it_encKeyPairTypes - Encryption/Key Agreement Key Pair Types */ + STACK_OF(X509_ALGOR) *encKeyPairTypes; + /* NID_id_it_preferredSymmAlg - Preferred Symmetric Algorithm */ + X509_ALGOR *preferredSymmAlg; + /* NID_id_it_caKeyUpdateInfo - Updated CA Key Pair */ + OSSL_CMP_CAKEYUPDANNCONTENT *caKeyUpdateInfo; + /* NID_id_it_currentCRL - CRL */ + X509_CRL *currentCRL; + /* NID_id_it_unsupportedOIDs - Unsupported Object Identifiers */ + STACK_OF(ASN1_OBJECT) *unsupportedOIDs; + /* NID_id_it_keyPairParamReq - Key Pair Parameters Request */ + ASN1_OBJECT *keyPairParamReq; + /* NID_id_it_keyPairParamRep - Key Pair Parameters Response */ + X509_ALGOR *keyPairParamRep; + /* NID_id_it_revPassphrase - Revocation Passphrase */ + OSSL_CRMF_ENCRYPTEDVALUE *revPassphrase; + /* NID_id_it_implicitConfirm - ImplicitConfirm */ + ASN1_NULL *implicitConfirm; + /* NID_id_it_confirmWaitTime - ConfirmWaitTime */ + ASN1_GENERALIZEDTIME *confirmWaitTime; + /* NID_id_it_origPKIMessage - origPKIMessage */ + OSSL_CMP_MSGS *origPKIMessage; + /* NID_id_it_suppLangTags - Supported Language Tags */ + STACK_OF(ASN1_UTF8STRING) *suppLangTagsValue; + /* this is to be used for so far undeclared objects */ + ASN1_TYPE *other; + } infoValue; +} /* OSSL_CMP_ITAV */; +DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ITAV) +DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_ITAV) + + +typedef struct OSSL_cmp_certorenccert_st { + int type; + union { + X509 *certificate; + OSSL_CRMF_ENCRYPTEDVALUE *encryptedCert; + } value; +} OSSL_CMP_CERTORENCCERT; +DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT) + +/*- + * CertifiedKeyPair ::= SEQUENCE { + * certOrEncCert CertOrEncCert, + * privateKey [0] EncryptedValue OPTIONAL, + * -- see [CRMF] for comment on encoding + * publicationInfo [1] PKIPublicationInfo OPTIONAL + * } + */ +typedef struct OSSL_cmp_certifiedkeypair_st { + OSSL_CMP_CERTORENCCERT *certOrEncCert; + OSSL_CRMF_ENCRYPTEDVALUE *privateKey; + OSSL_CRMF_PKIPUBLICATIONINFO *publicationInfo; +} OSSL_CMP_CERTIFIEDKEYPAIR; +DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR) + +/*- + * PKIStatusInfo ::= SEQUENCE { + * status PKIStatus, + * statusString PKIFreeText OPTIONAL, + * failInfo PKIFailureInfo OPTIONAL + * } + */ +struct OSSL_cmp_pkisi_st { + OSSL_CMP_PKISTATUS *status; + OSSL_CMP_PKIFREETEXT *statusString; + OSSL_CMP_PKIFAILUREINFO *failInfo; +} /* OSSL_CMP_PKISI */; +DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKISI) +DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_PKISI) + +/*- + * RevReqContent ::= SEQUENCE OF RevDetails + * + * RevDetails ::= SEQUENCE { + * certDetails CertTemplate, + * crlEntryDetails Extensions OPTIONAL + * } + */ +typedef struct OSSL_cmp_revdetails_st { + OSSL_CRMF_CERTTEMPLATE *certDetails; + X509_EXTENSIONS *crlEntryDetails; +} OSSL_CMP_REVDETAILS; +DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVDETAILS) +DEFINE_STACK_OF(OSSL_CMP_REVDETAILS) + +/*- + * RevRepContent ::= SEQUENCE { + * status SEQUENCE SIZE (1..MAX) OF PKIStatusInfo, + * -- in same order as was sent in RevReqContent + * revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId + * OPTIONAL, + * -- IDs for which revocation was requested + * -- (same order as status) + * crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList + * OPTIONAL + * -- the resulting CRLs (there may be more than one) + * } + */ +struct OSSL_cmp_revrepcontent_st { + STACK_OF(OSSL_CMP_PKISI) *status; + STACK_OF(OSSL_CRMF_CERTID) *revCerts; + STACK_OF(X509_CRL) *crls; +} /* OSSL_CMP_REVREPCONTENT */; +DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREPCONTENT) + +/*- + * KeyRecRepContent ::= SEQUENCE { + * status PKIStatusInfo, + * newSigCert [0] Certificate OPTIONAL, + * caCerts [1] SEQUENCE SIZE (1..MAX) OF + * Certificate OPTIONAL, + * keyPairHist [2] SEQUENCE SIZE (1..MAX) OF + * CertifiedKeyPair OPTIONAL + * } + */ +typedef struct OSSL_cmp_keyrecrepcontent_st { + OSSL_CMP_PKISI *status; + X509 *newSigCert; + STACK_OF(X509) *caCerts; + STACK_OF(OSSL_CMP_CERTIFIEDKEYPAIR) *keyPairHist; +} OSSL_CMP_KEYRECREPCONTENT; +DECLARE_ASN1_FUNCTIONS(OSSL_CMP_KEYRECREPCONTENT) + +/*- + * ErrorMsgContent ::= SEQUENCE { + * pKIStatusInfo PKIStatusInfo, + * errorCode INTEGER OPTIONAL, + * -- implementation-specific error codes + * errorDetails PKIFreeText OPTIONAL + * -- implementation-specific error details + * } + */ +typedef struct OSSL_cmp_errormsgcontent_st { + OSSL_CMP_PKISI *pKIStatusInfo; + ASN1_INTEGER *errorCode; + OSSL_CMP_PKIFREETEXT *errorDetails; +} OSSL_CMP_ERRORMSGCONTENT; +DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT) + +/*- + * CertConfirmContent ::= SEQUENCE OF CertStatus + * + * CertStatus ::= SEQUENCE { + * certHash OCTET STRING, + * -- the hash of the certificate, using the same hash algorithm + * -- as is used to create and verify the certificate signature + * certReqId INTEGER, + * -- to match this confirmation with the corresponding req/rep + * statusInfo PKIStatusInfo OPTIONAL + * } + */ +struct OSSL_cmp_certstatus_st { + ASN1_OCTET_STRING *certHash; + ASN1_INTEGER *certReqId; + OSSL_CMP_PKISI *statusInfo; +} /* OSSL_CMP_CERTSTATUS */; +DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTSTATUS) + +typedef STACK_OF(OSSL_CMP_CERTSTATUS) OSSL_CMP_CERTCONFIRMCONTENT; +DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTCONFIRMCONTENT) + +/*- + * CertResponse ::= SEQUENCE { + * certReqId INTEGER, + * -- to match this response with corresponding request (a value + * -- of -1 is to be used if certReqId is not specified in the + * -- corresponding request) + * status PKIStatusInfo, + * certifiedKeyPair CertifiedKeyPair OPTIONAL, |